sudo & SOX compliance

Hello,

I am trying to convince my boss to stop allowing our users to log in as root (superuser). Currently our users log in to our unix server with their own account, then as needed, they will do an su and put in the root password.

This scares me, for a bunch of reasons. Mainly, one is that we still use telnet, not ssh, which I am also trying to enforce. Secondly, some of our users who have root access have little to no unix knowledge whatsoever. This can be very dangerous...

What I proposed to my boss is that we do not give out the root password anymore. Instead, using sudo, give users access to certain commands/scripts. Then they can simply do 'sudo command' ... And then none of them ever have to type in the root password, and everything they do as su is logged in the sudoers.log file.

My boss wants to know how sudo fits in with SOX, if it is compliant with SOX, if SOX has any restrictions with using sudo, etc.

Also, we need to know how sudo complies with HIPAA, as we are soon to become HIPAA compliant. Which brings me to telnet, which I fear is not HIPAA compliant, in that it has no security, and data can be captured with relative ease...

Any information would be greatly appreciated. Thank you
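As an added example (not the poster's own configuration, and not anything the thread itself contains), here is a sudoers fragment that implements the proposal above: users authenticate with their own password, receive only an enumerated set of commands, and every invocation is logged. The group name `ops`, the command paths and the log locations are assumptions; substitute the real ones.

```sudoers
# Added example policy for the proposal above (not from the original post).
# The group "ops", the command paths and the log paths are assumptions.
# Edit only with visudo, which checks syntax before saving, so a typo
# cannot lock everyone out of sudo at once.

# Log every invocation (user, tty, cwd, command) to a file as well as to
# syslog, and record the session's terminal output for later review.
Defaults        logfile="/var/log/sudo.log"
Defaults        log_output
Defaults        iolog_dir="/var/log/sudo-io/%{user}"
Defaults        use_pty
Defaults        timestamp_timeout=5

# Commands the operations group may run as root. Deliberately no shell,
# editor or interpreter: any of those would become an unaudited root shell.
# Arguments are spelled out rather than wildcarded, because a "*" in a
# sudoers argument list matches across word boundaries and can admit
# extra arguments the author did not intend.
Cmnd_Alias      SERVICES = /usr/sbin/service httpd restart, \
                           /usr/sbin/service httpd status
Cmnd_Alias      BACKUPS  = /usr/local/sbin/nightly-backup.sh ""
Cmnd_Alias      LOGS     = /usr/bin/tail -n 100 /var/log/messages

# Members of the ops group authenticate with their OWN password and may run
# only the listed commands; the root password is never typed or shared.
%ops    ALL = (root) SERVICES, BACKUPS, LOGS

# Config edits go through sudoedit, which copies the file, runs the editor
# as the invoking user, and copies the result back, so the editor itself
# never runs as root.
%ops    ALL = (root) sudoedit /etc/httpd/conf/httpd.conf
```

Each user can see exactly what they have been granted with `sudo -l`, and the resulting `/var/log/sudo.log` entries (one per command, naming the user who ran it) are the per-user audit trail that the shared root password never produced. The `""` after the backup script means it may be run with no arguments at all.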

Short answer: your current security as explained is a violation of Sarbanes-Oxley. Furthermore, if you are publicly traded, you're going to look bad in any SOX-compliance audit. Get security help.

Test for publicly traded companies including their contractors, vendors or anyone with system access:
If su or sudo lets somebody, like programmers or accountants or data entry clerks or even the company president, have direct unaudited access to any file or data transmission used for input to or generated by AR, AP... any accounting/financial reporting, then it won't fly.

HIPAA - if sudo lets any non-HR person in my business (or doing work for my business as a consultant, contractor, etc.) look up somebody else's private records without their prior authorization, then I am not in compliance. That is the test you apply. Private records = medical records, drug test records, insurance information, direct deposit information, etc.

Just get security help. Obviously, your boss does not listen to you. He will be forced to listen when it dings his department's budget. That's how it works in small companies - consultants get listened to.